[Freeipa-users] Web UI Authentication errors - revisited

Dmitri Pal dpal at redhat.com
Fri Mar 6 01:21:19 UTC 2015


On 03/05/2015 08:09 PM, Dan Mossor wrote:
>
>
> On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 03/05/2015 07:36 PM, Dan Mossor wrote:
>>     On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofsatx at gmail.com> wrote:
>>
>>
>>
>>         On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>             On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>>             As an additional test, I created a new user on my
>>>             workstation and switched to it. The first thing I did
>>>             was kinit as admin, then started Firefox, went through
>>>             the browser configuration provided by the IPA server,
>>>             and attempted to log in. I received the same error[1].
>>>
>>>             [1]http://i.imgur.com/mhX86Ng.png
>>>
>>>
>>             Have you checked times and time zones on the client and
>>             on the server?
>>
>>             -- 
>>             Thank you,
>>             Dmitri Pal
>>
>>             Sr. Engineering Manager IdM portfolio
>>             Red Hat, Inc.
>>
>>
>>         The server is set for GMT time, whereas the client is set for
>>         local time, US Central Standard Time. Except for that
>>         difference, they are within 1 second of each other.
>>
>>         Dan
>>
>>     As an experiment after this email exchange, I switched the server
>>     to Central Standard Time using timedatectl. I then ran kinit
>>     again, and attempted to log into the GUI. There was no change - I
>>     still cannot access the GUI. Here is the krb5kdc.log from the period:
>>
>>     Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>>     Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>>     Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for ldap/vader.rez.lcl at REZ.LCL
>>     Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>>     Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>>     Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
>>     Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
>>     Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>>     Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>>     Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
>>     Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
>>     Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for HTTP/vader.rez.lcl at REZ.LCL
>>
>>
>>     One thing I did determine is the authtime in the krb5kdc log is
>>     epoch time. I checked it, and it translates directly to the
>>     standard time.
>>
>>     Dan
>
>     Hm. OK.
>
>     I do not think it was ever mentioned which version of the
>     server and client you are running, but based on the UI it seems
>     like the latest.
>     Also, you are trying to log in after using kinit. Can you log in using
>     forms-based authentication, or does that not work either?
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
> I can't seem to locate the form-based authentication for 4.1.2-1 - I 
> was going to try that in order to add the information to this thread, 
> but I can find no reference as to where it is and I can't find it 
> manually on the file system. Can you give me the default URL for it?
>
> freeipa-server-4.1.2-1.fc21.x86_64
> freeipa-client-4.1.2-1.fc21.x86_64
>
> Dan
http://i.imgur.com/mhX86Ng.png

It should show up if you do not have a ticket. Destroy the ticket on the 
client and try to access the server via browser; you should be redirected.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
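
The time-zone check discussed in this thread can be run directly against the krb5kdc log. The following is an added example, not part of the original messages: it parses ISSUE lines, converts the epoch `authtime` to UTC, and for AS_REQ lines derives the UTC offset the log stamp was written in. The three sample lines are taken from the log quoted above, with link residue removed and the archive's " at " written back as "@"; the `year` argument is an assumption, since syslog-style stamps omit it.

```python
import re
from datetime import datetime, timezone

# krb5kdc ISSUE lines from the thread (link residue removed, "@" restored).
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

# Principals may appear as "name@REALM" or, in list archives, "name at REALM".
LINE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime (?P<authtime>\d+), .*?, "
    r"(?P<client>\S+?(?:@| at )\S+) for (?P<service>\S+?(?:@| at )\S+)$"
)

def analyze(log_text, year):
    """Return one record per ISSUE line found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # NEEDED_PREAUTH, DISPATCH etc. carry no authtime
        auth_utc = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        rec = {"req": m["req"], "client": m["client"], "service": m["service"],
               "authtime_utc": auth_utc.strftime("%Y-%m-%d %H:%M:%S"),
               "log_utc_offset_h": None, "residual_s": None}
        if m["req"] == "AS_REQ":
            # In these lines an AS_REQ is logged at the moment of authtime, so
            # local stamp minus authtime is the log's UTC offset (rounded to a
            # multiple of 15 minutes) plus any leftover seconds.
            delta = (stamp - auth_utc.replace(tzinfo=None)).total_seconds()
            offset = round(delta / 900) * 900
            rec["log_utc_offset_h"] = offset / 3600
            rec["residual_s"] = delta - offset
        # A TGS_REQ repeats the authtime of the TGT it presents, so no offset
        # is derived from it.
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, 2015):
        print(r)
```

On the sample lines the first AS_REQ yields an offset of 0 hours and the second -6 hours, each with a residual of 0 seconds: the log stamps changed with the server's time zone while the `authtime` values stayed on the same UTC clock.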
